Blockchain-based admission processes for protected entities

ABSTRACT

A method and system for controlling access to a protected entity. The method includes receiving a redirected client request to access the protected entity that the protected entity denied; granting, in response to the received redirected request, access tokens of a first type to a client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, the transaction designating the protected entity; determining a conversion value for converting first-type access tokens into second-type of access tokens, the conversion value being based on at least one access parameter; converting, using the conversion value, a first sum of the first-type access tokens into a second sum of second-type access tokens; and granting the client access to the protected entity when the sum of second-type of access tokens is received as a payment from the protected entity.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. Ser. No. 15/994,414 filed May31, 2018, now allowed, which claims the benefit of U.S. ProvisionalApplication No. 62/663,132 filed on Apr. 26, 2018, the contents of whichare hereby incorporated by reference.

TECHNICAL FIELD

This disclosure generally relates to network security technology, andmore particularly to admission controls allowing deferential admissionto protected entities using blockchains decentralized ledgers.

BACKGROUND

In the related art, conventional admission control solutions aretypically third-party services which the access is requested. Forexample, Facebook® and Google® provide such services using the OAuthprotocol for admission control

In many enterprises, similar technology is utilized internally to allowaccess. For example, Windows® Single-Sign-On (SSO) based on a NT LANManager (NTLM) and Kerberos is used as centralized admission service forclients, servers, and applications. Typically, an admission service mayconsider many parameters in making an admission decision. For example, arole-based access control (RBAC) which is a method of regulating accessto computer or network resources based on the roles of individual userswithin an enterprise. The admission decision is typically anallow-or-deny property.

That is, an admission service considers the available parameters andonly the final decision is exposed to the protected entity, if theparameters satisfying a role in the form of a secure admission token(e.g., certificate or a session key). This allow-or-deny binary propertyof admission control system was historically sufficient as it wasassumed that all clients are coming from a relatively trustedenvironment. In the emerging, predominantly cloud driven, landscape asolution that can provide granular admission after evaluating the riskassociated with the access request is clearly needed.

In most cases, the admission to a protected entity requires a user toexpose private information over networks and sometimes over the Internet(e.g., user name, phone number, login credentials, etc.), thus admissionservice are vulnerable to privacy breaches.

Some existing admission control systems are based on a trustedthird-party service or infrastructure. For example, a CertificateAuthority (CA) used in Public Key Infrastructure (PKI) to infer trustbetween entities.

A replay attack is one security risk caused by the vulnerability ofadmission controllers and authentication technologies. In a replayattacks, a third-party adversary listens to the communication between anadmission controller and a client (or an admission service) and “replay”the captured communication to gain un-rightful admission. Addressingthis risk is in the heart of most admission control systems andprotocols. Typically, the communication between the admissioncontroller, the client (or service) is performed over protectedinteractive sessions. The interactive nature of existing solutionsimposes many limitations in system architecture, scale and systemavailability, thereby leading to costly and inflexible solutions.

In many cases, an admission request is originated from a maliciousentity such as a Bot. Addressing the bot risk is also many times in theproblem domain of admission systems. However, most admission systems cannot address this risk internally, thus relying on external third-partysolutions. This further increases the admission control complexity andinflexibility.

Blockchain is a technology that allows for fast, secure and transparentpeer-to-peer transfer of digital goods (e.g., money and intellectualproperty) built over a combination of proven technologies applied in anew way. Specifically, the fundamentals of blockchain are based on theInternet, a private key cryptography, a consensus algorithm and aprotocol governing incentivization.

The blockchain provides a system for digital interactions that providestransparency for transactions and does not require a trusted thirdparty. The infrastructure of the blockchain can be viewed as adecentralized immutable database, protected by advanced cryptography,and residing in a plurality of nodes in a large network.

The decentralized immutable database is a distributed ledger that isheld and updated independently by each node. The distribution is uniqueas records are not communicated to various nodes by a central authority,but are instead independently constructed and held by every node. Thatis, every single node on the network processes every transaction,resulting in self-conclusions, and then votes on those conclusions toensure that the majority agree with the conclusions. Once there isconsensus, the distributed ledger is updated, and each node maintainsits own identical copy of the same ledger.

A prime use for blockchain technologies is in virtual currencies orcryptocurrencies, such as Bitcoin, Ethereum, and Litecoin. In Bitcoin,for example, each time a transaction takes place, such as one partysending bitcoin directly to another, the transaction's details (e.g.,source, destination and date/timestamp) are added to what is referred toas a block. For example, the block contains the transaction with othersimilar types of recently submitted transactions. Then, the validity ofthe transactions within the cryptographically-protected block is checkedand confirmed by the collective computing power of nodes (miners) in thenetwork. A consensus reaching technology and game theory basedloose/gain procedure is used to make sure all nodes have the sameinformation, the nodes (or minters) are for example computers configuredto utilize their processing power to solve complex mathematicalproblems, such as complex hashing algorithms until a consensus isreached. Once solved, the block and all of its respective transactionsare verified as legitimate. When the transactions within a block aredeemed legitimate, the block is attached to the most recently verifiedblock in the chain, creating a sequential ledger which is viewable byall who desire.

This process continues in perpetuity, expanding upon the blockchain'scontents and providing a public record that can be trusted. In additionto being constantly updated, the chain and all of its blocks aredistributed across to all other nodes in the networks. This ensures thatthe latest version of this decentralized ledger exists virtuallyeverywhere, making it almost impossible to forge.

Most blockchain-based applications involve related monetary transactionsof virtual currencies. However, as blockchain technology advances, otherblockchain-based applications and uses are proposed. Such applicationsinclude establishing digital identity without exposing vulnerablepersonal information of users, recording smart legal contracts, auditingfinancial transactions, and automating regulatory compliance.

Cyber-security solutions related to blockchains, discussed in therelated art, are mainly directed at securing the transactions orinfrastructure of the blockchain (e.g., the distributed ledger, etc.).There are no available solutions for securing entities (e.g., servers,datacenters, and the like) outside of the blockchain infrastructureusing blockchain-based technologies. For example, there is noblockchain-based solution that can identify if an access request to aweb server is received from a legitimate user or a malicious bot.

Therefore, it would be advantageous to provide an efficient solutionthat would cure the deficiencies of existing security admissionsolutions while benefiting from Blockchain advantages.

SUMMARY

A summary of several example embodiments of the disclosure follows. Thissummary is provided for the convenience of the reader to provide a basicunderstanding of such embodiments and does not wholly define the breadthof the disclosure. This summary is not an extensive overview of allcontemplated embodiments, and is intended to neither identify key orcritical elements of all embodiments nor to delineate the scope of anyor all aspects. Its sole purpose is to present some concepts of one ormore embodiments in a simplified form as a prelude to the more detaileddescription that is presented later. For convenience, the term “certainembodiments” may be used herein to refer to a single embodiment ormultiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for controllingaccess to a protected entity. The method comprises receiving aredirected client request to access the protected entity that was deniedby the protected entity; granting, in response to the receivedredirected request, access tokens of a first type to a client;identifying a conversion transaction identifying a request to convertthe first type of access tokens with access tokens of a second type,wherein the transaction designates at least the protected entity;determining a conversion value for converting the first type of accesstokens into the second type of access tokens, wherein the conversionvalue is determined based on at least one access parameter; converting,based on the determined conversion value, a first sum of the first typeof access tokens into a second sum of the second type of access tokens;and granting the client access to the protected entity when the sum ofthe second type of access tokens is received as a payment from theprotected entity.

Certain embodiments disclosed herein also include an access system forcontrolling access to a protected entity. The system comprises aprocessing circuitry; and a memory, the memory containing instructionsthat when, executed by the processing circuitry, configure the accesssystem to: receive a redirected client request to access the protectedentity that was denied by the protected entity; grant, in response tothe received redirected request, access tokens of a first type to aclient; identify a conversion transaction identifying a conversion ofthe first type of access tokens with access tokens of a second type,wherein the transaction designates at least the protected entity;determine a conversion value for converting the first type of accesstokens into the second type of access tokens, wherein the conversionvalue is determined based on at least one access parameter; convert,based on the determined conversion value, a first sum of the first typeof access tokens into a second sum of the second type of access tokens;and grant the client access to the protected entity when the sum of thesecond type of access tokens is received as a payment from the protectedentity.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter disclosed herein is particularly pointed out anddistinctly claimed in the claims at the conclusion of the specification.The foregoing and other objects, features, and advantages of thedisclosed embodiments will be apparent from the following detaileddescription taken in conjunction with the accompanying drawings.

FIG. 1 is a network diagram utilized to describe the various disclosedembodiments.

FIG. 2 is a flow diagram illustrating a non-weighted blockchain-basedadmission process according to an embodiment.

FIG. 3 is a flow diagram illustrating a cost-based and blockchain-basedadmission process according to an embodiment.

FIG. 4 is a flow diagram illustrating a weighted blockchain-basedadmission process according to an embodiment.

FIG. 5 is an example flowchart illustrating a method forblockchain-based admission to a protected entity according to anembodiment.

FIG. 6 is an example block diagram of the admission system according toan embodiment.

FIG. 7 is a flow diagram illustrating a challenge process utilized bythe admission system according to an embodiment.

DETAILED DESCRIPTION

The embodiments disclosed herein are only examples of the many possibleadvantageous uses and implementations of the innovative teachingspresented herein. In general, statements made in the specification ofthe present application do not necessarily limit any of the variousclaimed embodiments. Moreover, some statements may apply to someinventive features but not to others. In general, unless otherwiseindicated, singular elements may be in plural and vice versa with noloss of generality. In the drawings, like numerals refer to like partsthrough several views.

According to the disclosed embodiments, techniques for allowingblockchain-based admission to protected entities are provided. Anadmission (or access) to a protected entity is given to a client aftergranting a number of one or more access tokens in the blockchain. The“spending” of such tokens is also performed via the blockchain network.In an embodiment, the access tokens and, hence, the admission to accessto a protected entity, are based on a non-linear model where there is aweight or “cost” is associated with each admission request. This isdifferent than a traditional admission model implemented by existingcyber security systems and admission-services, such as a role-basedaccess control (RBAC), where the admission is binary upon satisfying anaccess rule. In contrast, according to the disclosed embodiments, theadmission is weighted based on one or more access parameters set toweight the risk of false positive detection of an attacker admissionwith the risk of false negative detection of a legitimate user denial ofadmission. Furthermore, according to the disclosed embodiments, theadmission may optionally comprise a plurality of weighted parametersindicating the risk associated in multiple dimensions such as, but notrestricted to, risk in reading, risk in modifying, risk in sharing, onso on. Accordingly, the disclosed embodiments provide for increasedtemporal-accuracy access token verifications and, thus, more secureadmission, than existing admission solutions. The disclose embodimentsalso allow for detecting and mitigating the risk associated with Bots.The various disclosed embodiments will now be disclosed in greaterdetail.

FIG. 1 shows an example network diagram 100 utilized to describe thevarious disclosed embodiments. The network diagram 100 illustrated inFIG. 1 includes an admission system 110, a client 120, a blockchainpeer-to-peer network 130 (hereinafter referred to as the blockchainnetwork 130, merely for simplicity purposes), and a protected entity140. The entities in the network diagram 100 communicate via a network150, reside in the network 150, or both. The admission system 110controls and regulates admission of the client 120 by issuing to theclient 120 access tokens to be consumed by the protected entity 140 aswill be discussed in detail below. In certain implementations, a trustbroker 160 is also connected to the network 150 and communicativelyconnected to the blockchain network 130. As discussed below, the trustbroker 160 is configured to replace one type of access token withanother type of access token based, in part, on a non-linear conversionmodel for example using e^(−ct) as a multiplication factor where ‘ct’ isdriven from the time of last admission.

In an embodiment, the various entities discussed herein, the admissionsystem 110, client 120, protected entity 140, trust broker 160, andaudit system 170 act as full peer members in the blockchain network 130accessing it without intermediaries. In an embodiment, the audit system170 is integrated in the admission system.

In another embodiment, these entities can all be non-blockchain members.In such configuration, some or all these entities can enlist theservices of a third-party cryptocurrency wallet service or applicationto provide access to the blockchain network 130 as well as holding allrelevant crypto elements, such as keys. In yet another embodiment, theclient 120 and the protected entity 140 may optionally include means formaintaining tokens issued by the admission system 110 or utilized thecryptocurrency wallet described herein.

The network 150 may be, but is not limited to, a local area network, awide area network, the Internet, one or more data centers, a cloudcomputing infrastructure, a cellular network, a metropolitan areanetwork (MAN), or any combination thereof. The admission system 110, theprotect entity 140, or both, can be hosted in a cloud computingplatform, such as, but not limited to, a private cloud, a public cloud,a hybrid cloud, or any combination thereof. The client 120 may be a PC,a mobile phone, a smart phone, a tablet computer, a server, and thelike. The client 120 may be operated by a legitimate user, a program ormay be an attack tool.

The protected entity 140 is the entity to be protected from maliciousthreats. The protected entity 140 may be any network or computingelement including resources that can be accessed by the client 120. Forexample, the protected entity 140 may be a function in a serverlessarchitecture, an application server, a web server, a cloud application,a datacenter, a network device (e.g., a router, an ADC, etc.), afirewall (e.g., a web-application firewall), and so on.

In certain implementations, the network diagram 100 further includes anaudit system 170 utilized to record or log any transactions performedbetween two or more of the admission system 110, the client 120, thetrust broker 160, the protected entity 140. For example, the auditsystem 170 is configured to record whether an admission request isaccepted or not, the conversion value set for different types of accesstokens, a number of admission requests requested by the client 120, andso on. In another embodiment, the function of logging transactions bythe audit system 170 is performed on the blockchain network 130, i.e.,by its distributed ledger.

According to an embodiment, the admission system 110 may becommunicatively connected with the protected entity 140, where both theadmission system 110 and the protected entity 140 are peers in ablockchain peer-to-peer (P2P) network and may act as a proxy to the P2Pnetwork. For example, translating from HTTPS messages to message thatcan be transported on the P2P network. The admission system 110 and theprotected entity 140 may be configured each or both to receive orotherwise intercept requests (such as, but not limited to, HTTP/HTTPSrequests) generated by the client 120. The requests are directed usingthe device proxy function or using the native protocol redirectfunctions to the admission system 110. The secured datacenter can beoperable in a cloud-computing infrastructure, a hosting serverdatacenter, service provider networks, or a cooperative network.

It should be noted that, although one client 120 and one protectedentity 140 are illustrated in FIG. 1 merely for the sake of simplicity,the embodiments disclosed herein can be applied to a plurality ofclients, a plurality of protected entities, or both. Further, aplurality of admission systems can be utilized, or the admission system110 may be configured in a distributed implementation. The clients maybe located in different geographical locations. Furthermore, a singleclient 120 may be served by a plurality of admission servers 110concurrently.

It should be further noted that in certain embodiments, the admissionsystem 110 and the trust broker 160 may be implemented in a singlesystem or as a distributed system. Further, each element discussed abovecan also be integrated in a single system for example the admissionsystem 110 and protected entity 140 implemented as a single unifiedgateway.

In another embodiment, the admission system 110, the trust broker 160,and/or the protected entity 140 can be implemented in a network devicealready deployed in the network 150. Example for such a network deviceincludes an application delivery controller (ADC), load balancer, a webapplication firewall (WAF), a router, a firewall, and the like.

The blockchain network 130 is a collection of nodes (not labeled)utilized to maintain a distributed ledger and verified blocks, asdiscussed above. A node may be a physical machine, or a virtual machineexecuted by a machine having a sufficient computing power to verify ablock. In an embodiment, the nodes of the blockchain network 130 may beconfigured to handle proprietary tokens (e.g., verified block oftransactions for converting proprietary tokens). The proprietary tokensmay be of different types.

In another embodiment, the nodes of the blockchain network 130 may beconfigured to handle tokens of standard virtual currencies such as, butnot limited to, Bitcoin, Ethereum, Litecoin, and the like. For example,the infrastructure to the Ethereum blockchain network is based on acollection of nodes realized as Ethereum Virtual Machines (EVM)connected in a mesh connection. Each such node runs a copy of the entireblockchain and competes to mine the next block or validate atransaction. Further, each node in the blockchain network 130,implemented as Ethereum, maintains an updated copy of the entireEthereum blockchain. In an embodiment, the blockchain network 130 can beconfigured as a private network. In this embodiment, tokens (orcontracts) accessible to nodes that are connected to a private network,e.g., the blockchain network 130, operate in a private mode. In yetanother embodiment, a private token is utilized as part of a public orprivate Ethereum blockchain.

In another embodiment, the admission system 110 and the protected entity140 participate in a smart contract using the crypto EVM capabilities togrant and track admission of the client to the client 120. A smartcontract is a computer protocol intended to digitally facilitate,verify, or enforce the negotiation or performance of a contract definedas collection of executable computer code in one of many possiblecomputer languages such as but not limited to “Python”, “Java”, “R”,“Solidity” or any other computer languages used now or in the future toimplement blockchain based smart contracts. Smart contracts allow theperformance of credible transactions without the existence of trustedthird parties. These transactions are tractable and irreversible.

In an embodiment, the smart contract is generated (“written”) by theadmission system 110. The admission system 110 may determine thepre-conditions or conditions for the smart contract. Such conditions maybe determined based on, for example, the client 120, protected entity140, logged history, and so on. The smart contract, although beingfulfilled by, for example, the EVM (network 130) the contract generatedby the system 110 is independent of the network.

In should be noted that other embodiments utilizing other forms ofconsensus-based technologies can be used to implement the admissionsystem 110. For example, a Byzantine Fault Tolerance algorithm can beused for control and reach consensus over the Linux Foundationhyper-ledger implementation, over Corda, and the like.

It should be appreciated that, in some embodiments, utilizing theblockchain network 130 for the admission process allows maintainingprivacy of the user accessing the protected entity 140 while providingtransparency of admission transactions. Further, the blockchain network130 can be easily scaled, therefore providing a scalable solution.

In the example implementations described with respect to FIG. 1, theadmission to the protected entity 140 is delegated to and regulated bythe admission system 110 and is based, in part, on access tokensprovided by the admission system 110. The access tokens may be of thesame type or of different types. Further, the tokens may be proprietarytokens or may be based on standard virtual currencies or contracts, suchas those described above.

According to the disclosed embodiments, various blockchain-basedadmission processes can be implemented by the admission system 110. Inan embodiment, the admission system 110 provides access tokens to theclient 120, upon receiving a request to grant such tokens. The accesstokens are granted through the blockchain network 130. In other words,the granting of the access tokens is recorded as a transaction includedin a block of a blockchain maintained by the blockchain network 130.Upon requesting an access to the protected entity 140 by the client 120,the client 120 “pays” the protected entity 140 the access tokens.

This may be performed by revoking (spending) the access tokens grantedto the client 120 in order to gain access. In other words, the use ofthe access tokens is recorded as a transaction and included in a blockof the blockchain maintained by the blockchain network 130. Thus, thevalidation of the transaction (access request) is performed through theblockchain network 130. In an embodiment, the validation can beperformed prior to admitting an access to the protected entity 140. Inyet another embodiment, the validation is performed after an admissionis conditionally granted to the client. If the validation fails, theclient 120 is disconnected from the protected entity 140.

In an embodiment, the access tokens can be granted by the admissionsystem 110 after the client 120 performs computing challenges. Anexample for such challenges may include a requirement to solve amathematical function. As such, the client 120 is required to investcomputing resources to solve the function. For legitimate users it wouldbe a one-time challenge, but for attackers (bots) generating thousandsof requests it would drain their computing resources.

In exemplary embodiment the complexity of the admission system 110issued challenges to client 120 can be controlled by the admissionsystem 110 dynamically. The admission system 110 may increase ordecreases the challenge complexity according to one or more accessparameters, discussed herein.

In an embodiment, the admission system 110 is configured to protect aplurality of protected entities 140 the dynamic challenge cost can becontrolled by referencing the combined activity of the client 120accessing multiple protected entities. This allows the admission system110 to act as an anti-bot service.

As the challenge complexity increases, an embodiment can set thresholdson one or more access parameters and use the designated threshold toidentify a bot threat. Once a bot threat has been identified anembodiment can change the dynamic challenge strategy and set a newchallenge strategy, for example, setting an exponential growth challengecomplexity so the risk can be slowed down quickly.

According to another embodiment, a specific cost is associated withaccessing the protected entity 140. For example, various servicesprovided by the entity 140 would require different numbers of accesstokens. That is, the cost, in this embodiment, is defined by the numberand type of access tokens. The cost for accessing may be maintained in acentralized location, by the admission system 110, or by the protectedentity 140 or in any combination thereof. The client 120 is configuredto check the admission cost for accessing the protected entity 140. Ifthe client 120 does not possess enough access tokens (as recorded in theblockchain), the client 120 requests the admission system 110 foradditional access tokens. The request may designate any combination of anumber of access tokens and their types. To access the protected entity140, the access tokens are provided through the blockchain network 130.

In another embodiment, the admission cost is dynamically weighted andtwo or more different types of access tokens are utilized. In thisembodiment, to access the protected entity 140, the client 120 firstacquires a number of first-type access tokens from the admission system110. The protected entity 140 also requires a number of second-typeaccess tokens. Thus, the client 120 is configured to convert thefirst-type access tokens for the second-type access tokens using thetrust broker service 160. The conversion value can be dynamicallydetermined, e.g., per access request based on one or more parameters.Such parameters may be related to the client 120, the protected entity140, global indications, or a combination thereof. For example, thereputation, geographical location, or historical record as supplied bythe blockchain 130 network or the audit system 170 and rate of accesstokens spending may be parameters related to the client 120. A servicebeing accessed, and a current load may be parameters related to theprotected entity 140. An indication for an external source (not shown)an on-going attack campaign or the state of the internal anti-botfunction may be an indication for an ongoing attack.

The admission system 110 may issue more than one type of access tokensin a single transaction to the client 120. In an embodiment, atransaction issued may include a number of cryptocurrency tokens as wellas an SSL certificate issued to the client 120, the SSL certificate isgenerated by a certificate issuer (not drawn) and may include the client120 identity information, if such information was supplied as well asthe client 120 public key. The certificate may have a revocation datethat was influenced by the admission controller 110 one or more accessparameters.

The issued certificate can be used to establish a legacy secure servicethat does not have blockchain access for example an existing VPN, web oremail solution

The various embodiments for admission controls will be discussed infurther detail with reference to FIGS. 2-4.

FIG. 2 is an example flow diagram 200 illustrating a non-weightedblockchain-based admission process according to an embodiment. Theelements illustrated in FIG. 2 including the admission system 110, theclient 120, the blockchain network 130, and the protected entity 140,are described herein above with reference to FIG. 1.

At S210, the client 120 sends a request (201) to grant (“buy”) accesstokens from the admission system 110. The access tokens may be used toaccess the protected entity 140. In some embodiments, the request (201)is sent only after the client 120 successfully completes a challengeselected and set by the admission system 110. The challenge process isdiscussed in greater detail with reference to FIG. 7.

The request (201) may include a public key of the client 120 and mayfurther designate the entity to be accessed. The request (201) sent fromthe client 120 does not need to include any identifying information of auser of the client 120. The request (201) may be sent using a standardlayer-7 protocol, such as HTTP or HTTPS. In yet another embodiment, therequest (201) may be sent via the blockchain network 130 as anon-interactive payment of the admission service. The admission system110 may implement various known and unknown procedures such as, but notlimited to, client certificates, one-time pads (OTPs), and so on, toidentify, qualify, validate, check balances or historical recordlocations, or a combination thereof, of the client 120. When keeping theprivacy of the client 120 is mandatory, argument of knowledge such asSK-SNAKS and Zcach can be used instead of exposing the client identitydirectly.

In some embodiments, the request (201) may be trigged after the client120 failed to directly access the protected object 140. In such case,the protected object 140 may redirect a request from the client 120 tothe admission system 110.

At S220, upon identifying, validating, and approving the client's 120request for admission, the admission system 110 is configured to grant(202) a number of access tokens to the client 120. The access tokens aregranted (e.g., paid) to the client 120 through the blockchain network130 using the public key of the client 120. In yet another embodiment,when the access tokens are implemented using zero-knowledge arguments ofproof cryptography, such as ZK-SNARKs used in Zcash the public key ofthe client 120 may not be required.

It should be noted that in some configurations, when the client 120successfully passed a challenge set by the admission system 110, S210and S220 can be skipped, as the access tokens are granted as the client120 passes the challenge.

At S230, the client 120 is configured to identify, on the blockchainnetwork 130, the transaction ID holding the access tokens granted to theclient 120.

At S240, the client 120 is configured to add a transaction (203) to theblockchain network 130. The transaction (203) includes transaction data,a transaction hash value, and a hash value of a previous transaction(s).In an embodiment, the transaction may also include an arbitrary numberof metadata elements as specified and requested by the admission system110, the client 120 or the protected object 140. In an exampleembodiment, the transaction data may include a unique transaction ID, anumber of access tokens to pay for access, an identification of theadmission system 110 as the source granting the access tokens, and atarget service, application, or resource at the protected entity 140that the client 120 requests access to. It is not mandatory for thetransaction (203) to include any information identifying the client 120or a user using the client 120. A hash of transaction is cryptographichash of the transaction's content. The owner of the transaction, e.g.,the admission system 204 sign the transaction with its private key orother cryptographic identities. The transaction can be verified using apublic key of the transaction owner.

At S250, the client 120 sends an access request (204) to the protectedentity 140 to access a service or resource. For example, the accessrequest (204) may be to login to a user account, perform an action(e.g., download a file), access a secured resource, and so on. Therequest (204) may be sent using a standard layer-7 protocol, such asHTTP or HTTPS. The access request (204) can include the transaction IDof the transaction (203) to ease the protect entity 140 to look up forthe transaction, the protected entity 140 may search for a relevanttransaction in case that such transaction ID is not provided.

It should be noted that any access request sent from the client 120 tothe protected entity 140 remains pending until admission by theprotected entity 140. The access requests may be iteratively sent, untilaccess is granted. It should be further noted that the validation of thetransaction (access request) is performed through the blockchain network130. As noted above, the validation can be performed prior to admittingan access to the protected entity 140. Alternatively, the validation isperformed after an admission is conditionally granted to the client. Ifthe validation fails, the client 120 is disconnected from the protectedentity 140. In addition, the audit system 170 may log any failure tosuccessfully complete a challenge to at least determine the determinetrust of access value for the client, as discussed in detail below.

At S260, the protected entity 140 is configured to validate thetransaction (203) through the blockchain network 130. In an embodiment,such validation is performed by immediately spending the access tokensdesignated in the transaction (203) as payment to the admission system110. As a result, the transaction (203) is marked as “spent” in arespective block maintained in the blockchain network 130 and cannot bereferenced by again by the client. It should be noted that transactionsare never deleted from blocks maintained in the network 130.

At S270, once the transaction is validated and access tokens are paid,access is granted to the client 120 to access the target resource orservice at the protected entity 140. In an embodiment, the protectedentity 140 may use the number and type of access token paid to settemporal ACL on the accessing the client 120. That is, the access may belimited in time based on the number and type of access tokens beingpaid.

It should be noted that the access tokens are typically paid to theadmission system 110 upon fulfillment of the access request (204). Afulfillment of the access request (204) may include allowing the client120 to access the protected object 140, conditionally allowing theclient 120 access the protected object 140, or denying an access to theprotected object 140.

It should be further noted that each transaction (203) is a transfer ofa certain value of access tokens between the client 120, the system 110,and the entity 140. The blockchain block signature also prevents thetransaction from being altered once it has been issued. Although notillustrated in FIG. 2, all transactions are broadcast between nodes ofthe blockchain network 130 and validated through a mining process.

It should be further noted that, to grant the access tokens, theadmission system 110 and the client 120 may exchange their public keys.In order to revoke the access tokens, the system 110 and protectedentity 140 may exchange their public keys. That is, there is no directtransaction with respect to the utilization of the access tokens betweenthe client 120 and the protected entity 140. A key (private or public)may be a cryptography key. Alternatively or collectively, the protectedentity 140 and admission system 110 may employ other means of securecommunication, such as pre-shared keys. Furthermore, the admissionsystem 110, the client 120, and the protected entity 140 may be actingunder a public key infrastructure (PKI) or certificate authority (CA)mechanism.

As an example, an access token may be a chain of digital signatures. Thesystem 110 may transfer the access token to the client by digitallysigning a hash of the previous transaction and the public key of theprotected entity 140. The signatures (hash values) may be appended toeach access token. To grant an access to the client 120, the entity canvalidate the signatures to verify the chain of ownership.

FIG. 3 shows an example flow diagram 300 illustrating a cost-basedadmission process according to another embodiment. The elementsillustrated in FIG. 3 including the admission system 110, the client120, the blockchain network 130, and the protected entity 140, aredescribed herein above with reference to FIG. 1.

In this embodiment, there is a dynamic admission cost to access theprotected entity 140. The cost is defined by a number of access tokensthat may be set based on a target service, application, or resource atthe protected entity 140 from which an access is required; the behaviorof the client 120; or both. The cost is maintained in a cost table 301.In an embodiment, the cost table 301 may be managed and reside in theadmission system 110. Alternatively, the cost table 301 may be managedby an admission system 110, but saved in the centralized repository (notshown). This would allow the admission system 110, the protected entity140, or another arbitrator (not shown) to control the admission costsacross different protected entities, across different clients, or both.

In yet another embodiment, the cost table 301 is saved in the protectedentity 140 including the admission cost to access its services orresources. The cost table 301 may be managed by the protected entity 140or the admission system 110.

In yet another embodiment, the cost table 301 may be maintained in theblockchain network 130 as distributed records in the distributed ledger.This would allow for consistent maintenance of cost values. In such anembodiment, the cost table 301 may be managed by the admission system110 or the protected entity 140.

It should be noted that the cost table 301 discussed herein below refersto all of the different embodiments utilizing cost tables as describedherein.

At S310, the client 120 is configured to inquire about the admissioncost (i.e., the number of access tokens) required for accessing aspecific service or resource at the protected entity 140. The inquiry isto the cost table 301.

At S320, if the client 120 does not have sufficient access token valuein its wallet, the client 120 sends a request (302) to grant accesstokens from the admission system 110. The access tokens may be used toaccess the protected entity 140. As noted below, the admission system110 may implement different business flows to identify, qualify, orvalidate the client 120, or a combination thereof. In some embodiments,the request (302) is sent only after the client 120 successfullycompletes a challenge selected and set by the admission system 110. Thechallenge process is discussed in greater detail with reference to FIG.7.

At S330, upon identifying, qualifying, or validating, and approving theclient's 120 request for admission, the admission system 110 isconfigured to grant (202) a number of access tokens to the client 120.The access tokens are granted (e.g., paid) to the client 120 through theblockchain network 130 using the public key of the admission system 110.The number of granted access tokens should be enough to satisfy theadmission cost designated in the cost table 301. It should be noted thatif the client 120 already has enough tokens (e.g., as verified via theblockchain network 130), or the client 120 successfully passes thechallenge S320 and S330 are not performed.

At S340, the client 120 identifies, on the blockchain network 130, thetransaction ID holding the access tokens granted to the client 120. Theidentified tokens may be stored in a cryptocurrency wallet included inthe client 120.

At S350, the client 120 is configured to add a transaction (303) to theblockchain maintained by the blockchain network 130. The transaction(303) includes transaction data, a transaction hash value, and a hashvalue of a previous transaction(s). In an example embodiment, thetransaction data may include a number of access tokens to pay foraccess, an identification of admission system 110 as the source grantingthe access tokens, and a target service, application or resource at theprotected entity 140 that the client 120 requests to access. Thetransaction (303) does not include any information identifying theclient 120 or its user. In an embodiment, the transaction may alsoinclude an arbitrary number of metadata elements as specified andrequested by the admission system 110, the client 120 or the protectedobject 140.

At S360, the client 120 is configured to send an access request (304) tothe protected entity 140. The access request (304) includes thetransaction ID of the transaction added to the blockchain. As mentionedabove, the access request (304) can include the transaction ID of thetransaction (303) to ease the protected entity 140 to look up for thetransaction, the protected entity 140 may search for a relevanttransaction in case that such transaction ID is not provided. As furthernoted above, any access request sent from the client 120 to theprotected entity 140 is pending admission by the protected entity 140.

At S370, the protected entity 140 is configured to validate thetransaction (303) through the blockchain network 130. As noted above,such validation is performed by immediately spending the access tokensdesignated in the transaction (304) as payment to the admission system110. As a result, the transaction (304) is removed from a respectiveblock maintained in the blockchain network 130 and cannot be referencedagain by the client 120.

At S380, once the transaction is validated and tokens are paid, accessis granted to the client 120 to access the target resource or service atthe protected entity 140. As noted above, the protected entity 140 mayuse the number and type of access token paid to set a temporary ACL onthe accessing the client 120. That is, the access may be limited in timebased on the number and type of access tokens being paid.

In some embodiments, S380 may further include updating the cost table301, e.g., increasing or decreasing the cost associated with accessingthe protected entity 140. The cost may be updated based on of theparameters discussed herein above by the entity managing the cost table301 (e.g., the admission system 110, the protected entity 140, etc.)

As mentioned above, each transaction (e.g., a transaction 304) is atransfer of a certain value of access tokens between the client 120, theadmission system 110, and the protected entity 140, each of which maymaintain a cryptocurrency wallet. Further, to grant the access tokens,the admission system 110 and the client 120 may exchange their publickeys. In order to revoke the access tokens, the admission system 110 andthe protected entity 140 may exchange their public keys. That is, thereis no direct transaction with respect to the utilization of the accesstokens between the client 120 and the protected entity 140. A key(private or public) is a cryptographic key.

FIG. 4 shows an example flow diagram 400 illustrating a weightedblockchain-based admission process according to an embodiment. Theelements illustrated in FIG. 4 including the admission system 110, theclient 120, the blockchain network 130, the protected entity 140, andthe trust broker 160 are described herein above with reference to FIG.1.

In this embodiment, two types of access tokens are used, where aconversion value is dynamically determined for converting the first-typeto the second-type of the access tokens. For example, the conversionvalue may be determined per access request, per conversion-tokentransaction, per session, or a combination thereof. In essence, theconversion value determines the admission cost, but in this embodiment,such cost is dynamically updated based on a plurality of accessparameters. Further, there is no need to maintain any data structure(e.g., the cost table 301, FIG. 3). In an embodiment, the conversionvalue is determined by the trust broker 160.

The weighted admission process weights the risk of false positivedetection of attacker admission against the risk of false negativedetection of legitimate user denial of admission. The weighted admissionprocess allows a defender to scale a cost to access a protected entitylinearly with the attack, while exponentially increasing the admissioncost as, for example, the volume of the attack, type of attack, andother risk factors associated with the attack.

To this end, the conversion value is dynamically determined based on oneor more access parameters, the interaction between the accessparameters, or both. A first group of access parameters are related tothe client 120. A reputation of the client 120, determined by the system110 or received from an external service, can be utilized to determinethe conversion value. That is, a bad reputation would lead to a higherconversion value, and vice versa. The geographical location of theclient 120 can determine the conversion value. For example, a client 120from a “reputable” country (e.g., USA) would positively affect theconversion value. A behavior of the client 120 can also determine theconversion value. The admission system 110, the trust broker 160, orboth, may monitor the activity of the client 120 across multipleprotected entities, non-protected entities, or both, to detect anysuspicious activity and determine the conversion value respectivethereof. For example, a client that frequently requests additionalaccess tokens may be classified as suspicious (e.g., a bot), which wouldlead to a higher conversion value. As another example, a client 120 thatdoes not perform any malicious activity may be classified as legitimate,which would lead to a lower conversion value.

The conversion value can be determined over multiple access tokensrepresenting different granular admission rights. For example,read-access-tokens indicting the client 120 admission may incur lowercost than write-access-tokens indicting the client permissions to editdata and incur higher cost therefor controlling the client temporalauthorization in fine granularity over multiple dimensions as dictatedby risk analysis and the protected entity admission granularity.

A second group of access parameters are related to the protected entity140. For example, a sensitive resource or service of the protectedentity 140 would require a higher conversion value, regardless of thetrustworthiness of the client 120. As another example, the current loadon the protected entity 140 may affect the conversion value, i.e., thehigher the load the higher the conversion value is.

In an embodiment, a network load balancer or and ADC (not shown)deployed in network 150 anywhere in the path of client 120 or protectedentity 140 can be used to provide load and utilization data as suchexternal data.

A third group of access parameters are global indications. An indicationof an-going cyber-attack against the protected entity or other entitiesin the network is considered as a global parameter. A volume of anon-going attack is also considered as a global parameter. Suchindications may be received from external systems (not shown) connectedto the admission system 110, the trust broker 160, or both. For example,an indication of an on-going cyber-attack would lead to a higherconversion value. Other examples for global parameters may include timeof the day, certain day (weekends, weekdays, or holidays), and the like.

In all of the above example access parameters, the weight (i.e.,conversion value) can be adapted as a non-linear function. Thenon-linear function does not impact legitimate users that occasionallyaccess the protected entity 140, but such a function significantlyimpacts attackers frequently accessing the protected entity 140. Thus,using the access parameters to determine the conversion value allows to“discriminate” among clients, while the clients can maintain theirprivacy. The mentioned above example access parameters may be determinedbased on historical data logged in the audit system 170. For example,such data may include the identified conversion transaction, determinedconversion values, and more.

At S410, the client 120 is configured to send a request (401) for grant(buy) of access tokens from the admission system 110. The access tokensmay be used to access the protected entity 140 only after beingconverted. That is, a first-type of access token is required. In anembodiment, the request (401) includes a public key of the client 120and may further designate the entity to be accessed. In anotherembodiment, the first-type of access token is based on zero-knowledgecryptography and does not require a public key. As an example, theaccess token can be implemented using Zcash technologies.

The request (401) sent from the client 120 does not need to include anyidentifying information on a user of the client 120. The request (401)may be sent using a standard layer-7 protocol, such as HTTP or HTTPS.The admission system 110 may implement different business flows toidentify, qualify, or validate the client 120, or a combination thereof.

As noted above, in some embodiments, the request (401) may be triggedafter the client 120 failed to directly access the protected object 140.In such case, the protected object 140 may redirect a request from theclient 120 to the admission system 110. In some embodiments, the request(401) is sent only after the client 120 successfully completes achallenge selected and set by the admission system 110. The challengeprocess is discussed in greater detail with reference to FIG. 7.

At S420, upon identifying, validating, and approving the client's 120request for admission, the admission system 110 is configured to grant anumber of first-type access tokens to the client 120. The access tokensare granted (e.g., paid) to the client 120 through the blockchainnetwork 130 using the public key of the client 120. In yet anotherembodiment, when the access tokens are implemented using zero-knowledgearguments of proof cryptography, such as ZK-SNARKs used in Zcash, thepublic key of the client 120 may not be required. When admission system110 grants the first type access token, the system 110 add metadata inthe blockchain network's 130 transaction record.

At S430, the client 120 is configured to identify, on the blockchainnetwork 130, the transaction ID holding the first-type access tokensgranted to the client 120. The tokens may be stored in a cryptocurrencywallet included in the client 120.

It should be noted that S410-S430 may not be performed if the client 120holds enough first-type access tokens, for example, from previoustransaction(s).

At S440, the client 120 is configured to add a transaction (402) to theblockchain network 130 to convert the first-type of access tokens with asecond-type of access tokens. The transaction (402) includes transactiondata, a transaction hash value, and a hash value of a previoustransaction(s). In an example embodiment, the transaction data mayinclude a unique transaction ID, a number of available first-type accesstokens, an identification of the admission system 110 as the sourcegranting the access tokens, and a target service or resource at theprotected entity 140 that the client 120 requests to access. Thetransaction (402) does not need to include any information identifyingthe client 120 or a user using the client 120.

At S450, the trust broker 160, is configured to identify the transactionID of the transaction (402) and determine the conversion value for thetransaction (402) based on one or more access parameters. As notedabove, such parameters may be related to the client 120, the protectedentity 140, or any global indication. It should be noted that in someembodiments, the trust broker 160 may be integrated in the admissionsystem 110. Thus, the admission system 110 may perform the conversionoperation. Further, the admission system 110, trust broker 160, or bothcan be implemented as a distributed system.

In an embodiment, the conversion transaction can be realized as a smartcontract written on the Ethereum network EVN or other blockchainnetwork. In another embodiment, the conversion transaction can berealized using off-chain Oracle.

As a result, the admission system 110 is configured to grant a number ofsecond-type access tokens to the client 120 based on the conversionvalue. Such second-type access tokens are paid to the client 120 throughthe blockchain network 130 using, for example, a public key of theclient 120. In an example implementation, the first and secondaccess-tokens may be different types of cryptography currencies. Forexample, the first-type token may be a Zcash coin and the second-typetoken may be Ethereum.

It should be noted that the first-type and second-type of access tokenscan be granted during different sessions. That is, the conversion of thefirst-type and second-type access tokens may not occur immediately afterthe first-type of access tokens are granted. That is, the client 110 mayhold the first-type access tokens in its wallet or as unspenttransactions in the ledger and request the conversion only when it isrequired to access the protected entity. Further, the first-type ofaccess tokens may be a global currency, while the second-type of accesstoken may be specific to certain types of protected entities. That is,various types of “second-types” tokens can be used. It should be furthernoted that, once the second-type of access tokens are granted to theclient, the previous transaction, i.e., the transaction (402), is spentfrom a block maintained in the blockchain network 130 and cannot bereferenced again by the client 120.

At S460, the client 120 is configured to identify, on the blockchainnetwork 130, the transaction ID holding the second-type of accesstokens. The tokens may be stored in a cryptocurrency wallet included inthe client 120.

At S470, the client 120 is configured to add a new transaction (403) tothe blockchain network 130 to convert the first-type access tokens witha second-type access tokens. The transaction (403) includes transactiondata, a transaction hash value, and a hash value of a previoustransaction(s). In an example embodiment, the transaction data mayinclude a unique transaction ID, a number of available second-typeaccess tokens an identification of admission system 110 as the sourcegranting the access tokens, and a target service or resource at theprotected entity 140 that the client 120 requests to access. In anembodiment, the transaction may also include an arbitrary number ofmetadata elements as specified and requested by the admission system110, the client 120 or the protected object 140.

At S480, the client 120 is configured to send an access request (404) tothe protected entity 140. As mentioned above, the access request (404)can include the transaction ID of the transaction (403) to ease theprotected entity 140 to look up for the transaction, the protectedentity 140 may search for a relevant transaction in case that suchtransaction ID is not provided. As further noted above, any accessrequest sent from the client 120 to the protected entity 140 is pendingadmission by the protected entity 140.

At S490, the protected entity 140 is configured to validate thetransaction (403) through the blockchain network 130. In an embodiment,such validation is performed by immediately spending the second-typeaccess tokens designated in the transaction (403) as payment to theadmission system 110. As a result, the transaction (403) is marked asspent in a respective block maintained in the blockchain network 130 andcannot be referenced by again by the client 120.

At S495, once the transaction is validated and access tokens are paid,access is granted to the client 120 to access the target resource orservice at the protected entity 140.

As mentioned above, each transaction (e.g., the transactions 402 and403) is a transfer of a certain value of access tokens between theclient 120, the admission system 110, and the protected entity 140, eachof which may maintain a cryptocurrency wallet. Such information may belogged in an audit system (e.g., the audit system 170, FIG. 1). Thisallow the admission system 110 and the trust broker 160 to derive thefull history of transactions between the client 120, the admissionsystem 110, and the trust broker 160. Further, to provide access tokens,the admission system 110 and the client 120 may exchange their publickeys. In order to “spend”, the access tokens, the admission system 110and the protected entity 140 may exchange their public keys. That is,there is no direct transaction with respect to the utilization of theaccess tokens between the client 120 and the protected entity 140. A key(private or public) is a cryptographic key.

It should be appreciated that the disclosed embodiments provide animproved security solution as the bots would not be able to access andload protected entities with access requests. That is, by shifting theprocessing to malicious clients (through access tokens processing), theprotected entities would remain free to handle legitimate requests withmore available computing resources. Further, the protected entitieswould not require executing authentication processes, thereby furtherreducing the utilization of computing resources by such entities.

FIG. 5 is an example flowchart illustrating a method forblockchain-based admission to a protected entity according to anembodiment.

At S510, a request to grant access tokens of a first-type is receivedfrom a client. The client utilizes the first-type access tokens as ameans to later access a protected entity.

At S520, upon validating and approving the request, a first-type ofaccess tokens are granted to the client. As noted above, such tokens canbe paid (sent) the client directly or through the blockchain network.

At S530, a transaction to convert the first-type of access tokens withaccess tokens of a second-type is identified on the blockchain network.The transaction data of the conversion transaction may designate, forexample, the protected entity to access and a number of availablefirst-type access tokens. The conversion transaction may also bedirected to exchange cryptographic identities (e.g., keys or argument ofknowledge) between the owners of the first and second access tokens. Tothis end, the conversion transaction may designate the public keys of,for example, the trust broker and the client.

It should be noted that the request to grant first type of tokens andthe conversion transaction are separate and the cryptographic identitiesare not shared between such requests. Further, no entity (user, owner ofthe trust broker, etc.) needs to reveal its (real) identity to receiveand/or convert tokens. It should be further noted that the entityreceiving the first-type of access token and the entity requesting theconversion to the second entity may be different entities.

At S540, a conversion value for converting the first-type of accesstokens into the second-type of access tokens is determined. As discussedin detail above, the conversion value is determined based on one or moreaccess parameters. Examples of which are provided above.

At S550, based on the determined conversion value, a first sum of thefirst-type of access tokens is converted into a second sum of thesecond-type of access-tokens. The first-type and second-type of accesstokens may be different cryptocurrencies. The second-type of accesstokens are paid or sent to a client or any other entity requesting theconversion. As noted above, the client uses the second-type of accesstoken to access the protected entity. To this end, an access request issent from the client to the protected entity. In order to allow accessor admission, the protected entity identifies, in the blockchain network130, the second-type of access tokens of the client, and further spendssuch tokens to allow payment the admission system. It should be notedthat revoking of tokens does not delete any transaction records.

In response, at S560, the second-type of access tokens are received as apayment from the protected entity. At S570, upon receipt of thesecond-type of access tokens, an admission or access to the protectedentity is granted to the client. It should be noted that the number ofsecond-type of access tokens to be converted is determined by theconversion value. There is a minimum number of access-tokens required tothe access the protected entity. Such number is determined regardless ofthe access parameters. The access parameters define the number offirst-type of access tokens required to be converted to reach theminimum number of access-tokens. For example, if the minimum number ofsecond-type access tokens is 10, then a client-A may need to convert 40first-type of access tokens, while a client-B may be required to convertonly 5 first-type of access tokens.

In an embodiment, the method discussed herein can be performed by theadmission system (110). In such embodiment, the admission systemimplements or includes the trust broker (160).

FIG. 6 is an example block diagram of the admission system 110 accordingto an embodiment. The admission system 110 includes a processingcircuitry 610 coupled to a memory 620, a storage 630, and a networkinterface 640. In an embodiment, the components of the admission system110 may be communicatively connected via a bus 650.

The processing circuitry 610 may be realized as one or more hardwarelogic components and circuits. For example, and without limitation,illustrative types of hardware logic components that can be used includefield programmable gate arrays (FPGAs), application-specific integratedcircuits (ASICs), Application-specific standard products (ASSPs), GPUs,system-on-a-chip systems (SOCs), general-purpose microprocessors,microcontrollers, digital signal processors (DSPs), and the like, or anyother hardware logic components that can perform calculations or othermanipulations of information. In an embodiment, the processing circuitry610 (or the entire system 110) may be implemented as a Turing machineover the blockchain network.

The memory 620 may be volatile (e.g., RAM, etc.), non-volatile (e.g.,ROM, flash memory, etc.), or a combination thereof. In oneconfiguration, computer readable instructions to implement one or moreembodiments disclosed herein may be stored in the storage 630.

In another embodiment, the memory 620 is configured to store software.Software shall be construed broadly to mean any type of instructions,whether referred to as software, firmware, middleware, microcode,hardware description language, or otherwise. Instructions may includecode (e.g., in source code format, binary code format, executable codeformat, or any other suitable format of code). The instructions, whenexecuted by the one or more processors, cause the processing circuitry210 to perform the various processes described herein. Specifically, theinstructions, when executed, cause the processing circuitry 610 toperform blockchain-based admission, as discussed hereinabove. In afurther embodiment, the memory 620 may further include a memory portion625 including the instructions.

The storage 630 may be magnetic storage, optical storage, and the like,and may be realized, for example, as flash memory or other memorytechnology, CD-ROM, Digital Versatile Disks (DVDs), hard-drives, SSD, orany other medium which can be used to store the desired information,such as log of transactions, public keys, and so on.

The network interface 640 allows the admission system 110 to communicatewith the blockchain network, clients, trust broker, and protectedentities. The network interface 640 further peer-to-peer communicationwith these elements.

It should be understood that the embodiments described herein are notlimited to the specific architecture illustrated in FIG. 6, and thatother architectures may be equally used without departing from the scopeof the disclosed embodiments.

It should be further noted that the trust broker 160 may be realizedusing a computing architecture, similar to the architecture illustratedin FIG. 6, and that other architectures may be equally used withoutdeparting from the scope of the disclosed embodiments. Further, thememory 620 may include instructions for executing the function of thetrust broker 160.

FIG. 7 is an example flow diagram 700 illustrating a challenge processutilized in the any of the admission processes described above. Theelements illustrated in FIG. 7 including the admission system 110, theclient 120, the blockchain network 130, and the protected entity 140,are described herein above with reference to FIG. 1.

A S710, the client 120 sends a request (701) to create an anti-botclient identity and request a challenge. The requested identity will beused by the client 120 to access into one or more protected entities140. In an embodiment, the request (701) may already contain a publickey of the client 120. In another embodiment, the request (701) does notinclude such a key, and the admission system 110 may assign a key to theclient 120 and generate a token ID.

The request (701) sent from the client 120 does not need to include anyidentifying information of a user of the client 120. The request (701)may be sent using a standard layer-7 protocol, such as HTTP or HTTPS. Inyet another embodiment, the request (701) can be delivered using theblockchain network 130. The admission system 110 may implement variousknown and unknown procedures such as, but not limited to, clientfingerprinting, client certificates, human identification techniquessuch as CAPTHAs and other proof of knowledge techniques to furtherstrengthen the understanding of client 120 natures.

In some embodiments, the request (701) may be trigged after the client120 failed to directly access the protected entity 140. In such case,the protected entity 140 may redirect a request from the client 120 tothe admission system 110.

At S720, upon identifying, validating, and approving the request (701),the admission system 110 selects a challenge and sends the challenge tothe client 120 together with other needed information such as sessionIDs or token IDs.

In an embodiment, the admission system 110 can interrogate other sourcesfor information before selecting a challenge. Examples for such sourcesinclude external databases, reputation services, the anti-bot systemhistorical records, the protected entity historical records, and thelike.

The selected challenge is characterized by the type and optionallycomplexity and may contain a randomly selectable seed value. As anexample, the admission system 110 generates a random seed number, thenselects a SHA256 challenge and sets the complexity requesting the client120 to find a string that together with the seed would result with aSHA256 number with a certain probability.

In other embodiment, the request 701 and the response 702 can be skippedall together if the client 120 choses to follow a non-interactivechallenge path. In such non-interactive embodiment, the client 120 canchose a challenge from a pool of challenges available in an externalregistry (not shown). The registry may be part of the blockchain network130. In yet another embodiment, the challenge can be based on time ofday and the time delta between the selected time of day and the actualtime stamp in the 703 blockchain message deposits.

At S730, the client 120 completes the challenge and deposits the resultof the challenge in the blockchain network 130.

At S740, the admission system 110 validates the deposited challenge.This can be performed by monitoring the blockchain network 130 or byreceiving a notification from the client 120.

At S750, upon validating the challenge's results, the admission system110 is configured to deposit access tokens directly in the blockchainnetwork 130 via a transaction 704 without waiting for explicit requestfrom the client 120. Alternatively, the admission system 110 can notifythe client 120 of such deposit via a message 705.

It should be noted that, that if the challenge fails, no access tokensare deposited to the client 120. The audit system 170 may log anyfailure to successfully complete a challenge to at least determine thedetermine trust of access value for the client, as discussed hereinabove.

The various embodiments disclosed herein can be implemented as anycombination of hardware, firmware, and software. Moreover, the softwareis preferably implemented as an application program tangibly embodied ona program storage unit or computer readable medium. The applicationprogram may be uploaded to, and executed by, a machine comprising anysuitable architecture. Preferably, the machine is implemented on acomputer platform having hardware such as one or more central processingunits (“CPUs”), a memory, and input/output interfaces. The computerplatform may also include an operating system and microinstruction code.The various processes and functions described herein may be either partof the microinstruction code or part of the application program, or anycombination thereof, which may be executed by a CPU, whether or not suchcomputer or processor is explicitly shown. In addition, various otherperipheral units may be connected to the computer platform such as anadditional data storage unit and a printing unit. Furthermore, anon-transitory computer readable medium is any computer readable mediumexcept for a transitory propagating signal.

It should be understood that any reference to an element herein using adesignation such as “first,” “second,” and so forth does not generallylimit the quantity or order of those elements. Rather, thesedesignations are generally used herein as a convenient method ofdistinguishing between two or more elements or instances of an element.Thus, a reference to first and second elements does not mean that onlytwo elements may be employed there or that the first element mustprecede the second element in some manner. Also, unless stated otherwisea set of elements comprises one or more elements. In addition,terminology of the form “at least one of A, B, or C” or “one or more ofA, B, or C” or “at least one of the group consisting of A, B, and C” or“at least one of A, B, and C” used in the description or the claimsmeans “A or B or C or any combination of these elements.” For example,this terminology may include A, or B, or C, or A and B, or A and C, or Aand B and C, or 2A, or 2B, or 2C, and so on.

All examples and conditional language recited herein are intended forpedagogical purposes to aid the reader in understanding the disclosedembodiments and the concepts contributed by the inventor to furtheringthe art, and are to be construed as being without limitation to suchspecifically recited examples and conditions. Moreover, all statementsherein reciting principles, aspects, and embodiments of the invention,as well as specific examples thereof, are intended to encompass bothstructural and functional equivalents thereof. Additionally, it isintended that such equivalents include both currently known equivalentsas well as equivalents developed in the future, i.e., any elementsdeveloped that perform the same function, regardless of structure.

What is claimed is:
 1. A method for controlling access to a protectedentity, comprising: receiving a redirected client request to access theprotected entity that was denied by the protected entity; granting, inresponse to the received redirected request, access tokens of a firsttype to a client; identifying a conversion transaction identifying arequest to convert the first type of access tokens with access tokens ofa second type, wherein the transaction designates at least the protectedentity; determining a conversion value for converting the first type ofaccess tokens into the second type of access tokens, wherein theconversion value is determined based on at least one access parameter;converting, based on the determined conversion value, a first sum of thefirst type of access tokens into a second sum of the second type ofaccess tokens; and granting the client access to the protected entitywhen the sum of the second type of access tokens is received as apayment from the protected entity.
 2. The method of claim 1, whereingranting the client access to the protected entity further comprises:validating the client based on at least a predefined condition, whereinthe first-type access tokens are granted only upon successful validationof the client.
 3. The method of claim 1, wherein the first-type accesstokens and the second-type access tokens are different types.
 4. Themethod of claim 3, wherein the first-type access tokens and thesecond-type access tokens are cryptocurrency tokens having differentcryptographic identities.
 5. The method of claim 1, wherein the leastone access parameter weights a risk of false positive of granting accessto an illegitimate client and of false negative of denying access of alegitimate client.
 6. The method of claim 1, wherein the at least oneaccess parameter is related to any one of: the client, the protectedentity, and at least one global indication.
 7. The method of claim 1,wherein determining the conversion value further comprises: dynamicallychanging the conversion value based on at least one access parameter. 8.The method of claim 7, wherein the conversion value is dynamicallychanged based on any one of: per transaction, per access request fromthe client, and per session.
 9. The method of claim 1, furthercomprising: conditionally granting the client access to the protectedentity; and revoking the conditionally granted access, when atransaction holding the sum of the second type of access tokens is notidentified.
 10. The method of claim 1, wherein the conversiontransaction includes transaction data, a transaction hash value, and aprevious transaction hash value, wherein the transaction data includes aunique transaction identifier (ID), a number of available first-typeaccess tokens, an identification of a source granting the first-typeaccess tokens, and an identifier of the protected entity.
 11. The methodof claim 10, wherein the conversion transaction does not includeinformation identifying at least one of: the client and a user of theclient.
 12. The method of claim 1, further comprising: logging at leastthe identified conversion transaction and the determined conversionvalue.
 13. A non-transitory computer readable medium having storedthereon instructions for causing one or more processing units to executethe method according to claim
 1. 14. An access system for controllingaccess to a protected entity, comprising: a processing circuitry; and amemory, the memory containing instructions that when, executed by theprocessing circuitry, configure the access system to: receive aredirected client request to access the protected entity that was deniedby the protected entity; grant, in response to the received redirectedrequest, access tokens of a first type to a client; identify aconversion transaction identifying a conversion of the first type ofaccess tokens with access tokens of a second type, wherein thetransaction designates at least the protected entity; determine aconversion value for converting the first type of access tokens into thesecond type of access tokens, wherein the conversion value is determinedbased on at least one access parameter; convert, based on the determinedconversion value, a first sum of the first type of access tokens into asecond sum of the second type of access tokens; and grant the clientaccess to the protected entity when the sum of the second type of accesstokens is received as a payment from the protected entity.